fix: unified 2.0.5 branch for readiness and installer regressions

[hessius]

Summary

Unified branch for 2.0.5 readiness fixes, including installer regressions, light theme contrast, and profile generation.

Changes in this PR

Profile generation fix (latest):

• Add settings hydration in lifespan() to populate os.environ from settings.json when env vars are empty on container restart (with masked-value guard)
• Write hydrated values to s6 container environment for child services
• Expand parse_gemini_error() to detect auth/API key errors and return user-friendly messages instead of raw Gemini CLI output
• Strip noise lines (YOLO mode, etc.) from error fallback text
• Strip display-only keys (geminiApiKeyConfigured, geminiApiKeyMasked) before persisting settings to prevent corrupted values in settings.json
• Increase nginx proxy + subprocess timeouts from 300s to 600s for long-running profile generation
• Add 4 new tests: auth error detection (2), settings hydration (2)

Light/dark theme tag contrast fix:

• Replace Tailwind dark: utility classes on tags with custom CSS classes (tag-body, tag-flavor, etc.) to bypass Tailwind v4 compat mode @media(prefers-color-scheme:dark) override
• Add explicit .dark .tag-* selectors in index.css
• Update tags.ts and tags.test.ts for new class names

Earlier fixes (already in branch):

• Fix /api/* route aliases for coffee generation endpoints (404 regression)
• Add actionable frontend error mapping for profile generation failures
• Classify profile validation and timeout Gemini errors

Validation

• apps/server: 575 Python tests passed (test_main.py)
• apps/server: 19 logging tests passed (test_logging.py)
• apps/web: 251 vitest tests passed
• root: 161 BATS tests passed
• Profile generation verified via API (curl) and browser UI
• CI: All workflows passing (Test Suite + Build and Publish)

[Copilot]

Pull request overview

This PR unifies two feature branches for v2.0.5: a version bump / CI Bun retry fix and a light-theme contrast fix for profile tags. It also merges governance and installer fixes from PR #221.

Changes:

• Version bump to 2.0.5 across VERSION, apps/web/package.json, and the Bun base image in the Dockerfile
• Installer fixes: remove unsupported --progress plain flags from all docker compose calls, add exit 1 on compose up failure, update Watchtower default host port from 8088 → 18088
• Light-theme tag contrast fix: refactor FormView.tsx to use the shared getTagColorClass helper with category-aware, dark-mode-safe CSS classes

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
VERSION	Bumped to 2.0.5
apps/web/package.json	Version bumped to 2.0.5 (kept in sync with VERSION)
docker/Dockerfile.unified	Bun base image pinned to 1.3.10-alpine
.github/workflows/tests.yml	3-attempt Bun setup retry with version 1.3.10 pinned across all 4 CI jobs
docker-compose.watchtower.yml	Default Watchtower host port changed from 8088 to 18088 to avoid conflicts
scripts/install.sh	Removes --progress plain flag; adds exit 1 on compose up failure
tests/test_install.bats	New tests verifying --progress removal and installer fail-fast; updates port assertion
apps/web/src/views/FormView.tsx	Tags now use getTagColorClass() for category-aware, contrast-safe styling in both themes
apps/web/src/lib/tags.test.ts	Adds explicit dark-mode override assertions to tag color test suite
apps/web/src/components/SettingsView.tsx	Adds watchtower_endpoint/watchtower_error to interface; displays error inline
apps/server/api/routes/system.py	Introduces _probe_watchtower_api helper probing 4 known Watchtower endpoints; refactors get_update_method and trigger_update to use it
apps/server/api/routes/profiles.py	Adds data URI decoding, settings IP fallback, and explicit httpx.TimeoutException/HTTPError handlers
apps/server/test_main.py	New tests for TestUpdateMethodEndpoint and five new TestImageProxyEndpoint tests
.github/copilot-instructions.md	Adds session governance section establishing tasks.md precedence and release authorization rules

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 4 comments.

[hessius]

@copilot open a new pull request to apply changes based on the comments in this thread

[Copilot]

@hessius I've opened a new pull request, #223, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.

[Copilot]

The authentication error check at step 3 in parse_gemini_error includes 'timeout' in the network/connection errors check (line 357): if 'network' in error_text_lower or 'connection' in error_text_lower or 'timeout' in error_text_lower. This check runs before the new timeout check at lines 377–385.

If a Gemini CLI error message contains both 'timeout' and 'timed out after' (e.g. "Gemini CLI timed out after 600s"), the 'timeout' substring will match the network/connection check first, returning "Network error connecting to Gemini API" instead of the more specific "Profile generation timed out" message. The timeout-specific check at lines 377–385 will never be reached for such errors.

Consider moving the timeout-specific check (lines 376–385) before the general network/connection check, or removing 'timeout' from the network/connection condition so it falls through to the more specific check.

[hessius]

Fixed in 8433d96 — moved the timeout-specific check (timed out after, deadline exceeded, took too long) before the general network/connection check so the more specific message is returned.

[Copilot]

The _write_s6_env function introduced in main.py (lines 82–95) is a duplicate of the already-existing _update_s6_env function in apps/server/api/routes/system.py (line 1140). Both functions write a value to /var/run/s6/container_environment/. The version in system.py is more complete (it logs a debug message when the dir is absent, and logs success/failure with a request_id). This duplication increases maintenance burden. Consider extracting both into a shared utility module (e.g., utils/s6_env.py) or importing _update_s6_env from system.py in main.py.

Suggested change

	s6_env_dir = "/var/run/s6/container_environment"
	if not os.path.isdir(s6_env_dir):
	return
	try:
	with open(os.path.join(s6_env_dir, var_name), "w") as f:
	f.write(value)
	except Exception:
	pass # best-effort; logged at caller site if needed
	# Delegate to the shared implementation in api.routes.system to avoid
	# duplicating s6 environment update logic in multiple places.
	try:
	from api.routes.system import _update_s6_env
	except Exception:
	# If the route module cannot be imported (e.g. during early startup
	# or in restricted test environments), fall back to a no-op to avoid
	# breaking application startup.
	return
	_update_s6_env(var_name, value)

[hessius]

Fixed in 8433d96 — extracted the shared logic to utils/s6_env.py with the more complete implementation (logging, debug messages). Both main.py and system.py now delegate to utils.s6_env.update_s6_env().

[Copilot]

The new translation keys generateFailed404Route, generateFailedTimeout, and generateFailedValidation are only added to the en and sv locale files. The de, es, fr, and it locales are missing these keys. While i18next will typically fall back to the en locale, users with those languages configured will see English strings rather than their native language for these new error messages. The missing keys should be added to all locale files.

[hessius]

Fixed in 8433d96 — added generateFailed404Route, generateFailedTimeout, and generateFailedValidation keys to all four missing locales (de, es, fr, it) with proper translations.